Add expiry and last-used tracking to API keys #75

@mikewheeleer

Add API-key expiry and last-used tracking

Description

ApiKeyRecord in src/index.ts only stores { label, createdAt }. Keys minted via POST /api/v1/api-keys never expire and there is no record of whether a key has ever been used, making operational rotation and stale-key cleanup impossible. This issue adds an optional expiry on creation and lastUsedAt tracking, surfaced through the existing list endpoint.

Requirements and context

  • Repository scope: StableRoute-Org/Stableroute-backend only.
  • Accept an optional expiresInSeconds (positive integer, bounded to a sane max) on POST /api/v1/api-keys; compute and store expiresAt.
  • Extend ApiKeyRecord with expiresAt?: number and lastUsedAt?: number.
  • Surface expiresAt and lastUsedAt in GET /api/v1/api-keys (never the raw key).
  • Add a small helper isKeyValid(record) that treats an expired key as invalid, ready for the auth middleware to consume; expired keys must not be usable for authentication.
  • Keep DELETE /api/v1/api-keys/:prefix and the existing 201 create response shape backward compatible.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b enhancement/api-keys-25-expiry-lastused
  • Implement changes
    • Write code in: src/index.ts — extend the record type, the create handler, and the list serializer; add isKeyValid.
    • Write comprehensive tests in: src/__tests__/index.test.ts — create a key with expiry, assert expiresAt in the listing, assert isKeyValid flips after expiry (use a tiny TTL).
    • Add documentation: document expiresInSeconds and the new list fields in README.md.
    • Add TSDoc on isKeyValid.
    • Validate security: never return or log the raw key; reject non-positive or oversized expiry.
  • Test and commit

Test and commit

  • Run npm run build, npm run lint, and npm test.
  • Cover edge cases: no expiry (never expires), tiny expiry, invalid expiry value.
  • Paste the full npm test output in the PR.

Example commit message

feat(api-keys): add expiry and last-used tracking

Guidelines

  • Minimum 95 percent test coverage for impacted code.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
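
One way the expiry validation, `isKeyValid`, and last-used stamping described in this issue could fit together, as an added example that is not code from the StableRoute repository. It assumes timestamps are epoch milliseconds and a one-year maximum; `MAX_EXPIRY_SECONDS`, `parseExpiresInSeconds`, `createRecord` and `authenticate` are hypothetical names, and the injectable `now` parameter is an addition that lets tests check expiry without sleeping.

```typescript
// Added illustration, not StableRoute code. Field names follow the issue text;
// epoch-millisecond timestamps and the one-year cap are assumptions.
interface ApiKeyRecord {
  label: string;
  createdAt: number;
  expiresAt?: number; // absent means the key never expires
  lastUsedAt?: number; // absent means the key has never authenticated
}

const MAX_EXPIRY_SECONDS = 365 * 24 * 60 * 60; // assumed "sane max"

/** Returns undefined for "no expiry" or a validated TTL; throws on anything else. */
function parseExpiresInSeconds(value: unknown): number | undefined {
  if (value === undefined) return undefined;
  // Strings, null, floats, NaN, zero, negatives and oversized values are all rejected.
  if (
    typeof value !== "number" || !Number.isInteger(value) ||
    value <= 0 || value > MAX_EXPIRY_SECONDS
  ) {
    throw new RangeError(`expiresInSeconds must be an integer in 1..${MAX_EXPIRY_SECONDS}`);
  }
  return value;
}

/** Builds the stored record; the raw key is deliberately not part of it. */
function createRecord(label: string, expiresInSeconds: unknown, now: number = Date.now()): ApiKeyRecord {
  const ttl = parseExpiresInSeconds(expiresInSeconds);
  const record: ApiKeyRecord = { label, createdAt: now };
  if (ttl !== undefined) record.expiresAt = now + ttl * 1000;
  return record;
}

/** A key is valid when it has no expiry or its expiry is strictly in the future. */
function isKeyValid(record: ApiKeyRecord, now: number = Date.now()): boolean {
  return record.expiresAt === undefined || now < record.expiresAt;
}

/** Auth-path sketch: unknown or expired keys fail closed and are not stamped. */
function authenticate(record: ApiKeyRecord | undefined, now: number = Date.now()): boolean {
  if (record === undefined || !isKeyValid(record, now)) return false;
  record.lastUsedAt = now;
  return true;
}
```

Because a rejected attempt does not update `lastUsedAt`, the field reflects the last successful use, which is the value stale-key cleanup needs.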
